The FritzFrog cryptomining botnet has new potential for growth: a recently analyzed variant of the bot is exploiting the Log4Shell (CVE-2021-44228) and PwnKit (CVE-2021-4034) vulnerabilities for lateral movement and privilege escalation.
The FritzFrog botnet
The FritzFrog botnet, initially identified in August 2020, is a peer-to-peer (rather than centrally-controlled) botnet powered by malware written in Golang.
It targets SSH servers by brute-forcing login credentials, and has managed to compromise thousands of them worldwide.
“Each compromised host becomes part of FritzFrog’s network — it communicates with its infected peers to share information, payloads, and configuration,” the Akamai Security Intelligence Group (SIG) noted.
The botnet’s ultimate goal is to use the compromised servers for covert crypto-mining.
New capabilities of the FritzFrog botnet
The bot malware is constantly updated with new and improved capabilities.
“[FritzFrog’s] P2P implementation was written from scratch, reminding us that the attackers are highly professional software developers,” the researchers pointed out.
The latest versions of the malware attempt to target every host on the internal network, either via SSH brute-forcing or by exploiting the infamous Log4Shell vulnerability.
“FritzFrog identifies potential Log4Shell targets by looking for HTTP servers over ports 8080, 8090, 8888 and 9000. To trigger the vulnerability, an attacker needs to force the vulnerable log4j application to log data containing a payload,” security researcher Ori David explained.
“FritzFrog sends the Log4Shell payload in numerous HTTP headers, hoping that at least one of them gets logged by the application. This brute force exploitation approach aims to be a generic Log4Shell exploit that can affect a wide variety of applications.”
Its creators are taking advantage of the fact that many organizations have patched Log4Shell on internet-facing applications, but have not yet done the same on internal assets.
FritzFrog also attempts to exploit PwnKit (CVE-2021-4034), a vulnerability in the PolKit component found on Linux systems, to abuse the pkexec binary, which runs with root privileges even when executed by a low-privileged user, and ultimately load and execute FritzFrog’s binary.
And since PolKit comes pre-installed by default on most Linux distributions, many unpatched devices remain vulnerable, the researchers pointed out.
Finally, FritzFrog evades detection by avoiding writing files to disk whenever possible.
Defensive measures
The researchers have provided a detection script enterprise defenders can use to check their SSH servers for indicators of a FritzFrog infection.
In general, though, admins should take care to secure SSH access to their servers with long and unique passwords and by enabling multi-factor authentication.
Network segmentation can foil FritzFrog’s (and other malware’s) lateral movement capabilities. “Software-based segmentation can be a relatively simple solution to spin up that has a long-lasting defensive impact,” the researchers concluded.